Actually, host based authentication using /etc/ssh/known_hosts does mean something.

Instead of using user keys, the user uses the host key and HostAuthentication uses the known_hosts as the repository of keys. I have to look again, but my plan was to introduce a postscript to use this with SSH CA in lieu of the current remoteshell postscript. Each /etc/ssh/known_hosts would consist only of the CA line(s), and each deployment would have the new ssh keys signed by a server to allow each to have a private known_hosts file without having to update it for key churn. It's like rhosts/hosts.equiv, but with cryptographic assurance, with the host key used instead of each user having to manage it. It is why ssh-keysign is setgid ssh_keys: to allow a user on a system to ask the host key to sign on their behalf if the sshd_config is so willing. Regrettably, I don't see my notes handy; I'll try to find my notes on this topic.

From: Kevin Keane <[email protected]>
Sent: Tuesday, January 21, 2020 4:00 PM
To: xCAT Users Mailing list <[email protected]>
Subject: [External] Re: [xcat-user] host based authentication

The known_hosts file has nothing to do with host-based authentication. It is used to verify the identity of the host when using SSH with standard user-based authentication. I believe you are thinking of rhosts?

Generally speaking, using host-based authentication is highly discouraged for security reasons, but in an xCAT scenario it can make sense.

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | [email protected]
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339
REMEMBER! No one from IT at USD will ever ask to confirm or supply your password. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!
On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique <[email protected]> wrote:

Hi,

Quick question, before I jump in finding my own solution. Is there anything in xcat that would allow setting up host based authentication? I know root can ssh from the mgmt. node to all the nodes in the cluster. I am referring to user authentication, based on /etc/ssh/known_hosts file, where there is a list of hosts and their respective keys.

thanks.

_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
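The CA-backed host-based setup sketched in the reply above, written out as an added example; this is not xCAT's remoteshell postscript or any code from the thread. It assumes constructed names (a CA key called host_ca, a node named node01.cluster.example, a scratch directory in $WORK) and OpenSSH's actual file layout: sshd reads the system file /etc/ssh/ssh_known_hosts (not /etc/ssh/known_hosts), the client's host certificate lives next to its host key as ssh_host_*_key-cert.pub, and the helper is ssh-keysign. The functions render each config fragment, sign a host key with the CA, and check offline that a certificate chains to the CA; the demo at the bottom runs only if ssh-keygen is installed.

```shell
#!/bin/sh
# Added example (not xCAT's postscript): the pieces of CA-backed host-based
# authentication. Constructed names: CA key "host_ca", node
# "node01.cluster.example", scratch directory $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Client side (every node). The system known_hosts file (OpenSSH reads
# /etc/ssh/ssh_known_hosts; ~/.ssh/known_hosts too unless sshd_config sets
# IgnoreUserKnownHosts) needs only this one line: any host presenting a
# certificate signed by this CA for a matching name is trusted, so host-key
# churn never requires editing the file.
render_known_hosts() {      # $1 = CA public key ("ssh-ed25519 AAAA... comment")
  printf '@cert-authority *.cluster.example %s\n' "$1"
}

# Server side sshd_config fragment. IgnoreUserKnownHosts keeps the trust
# decision in the root-owned system file; HostbasedUsesNameFromPacketOnly no
# makes sshd check the client's name via reverse DNS instead of believing what
# the client claims; HostCertificate lets this node present its own cert when
# it is the client in turn.
render_sshd_config() {
  cat <<'EOF'
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
HostbasedUsesNameFromPacketOnly no
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
}

# Client side ssh_config fragment. EnableSSHKeysign lets ssh run the setgid
# ssh-keysign helper, which signs the challenge with the host's private key on
# behalf of an unprivileged user.
render_ssh_config() {
  cat <<'EOF'
Host *.cluster.example
    HostbasedAuthentication yes
    EnableSSHKeysign yes
EOF
}

# /etc/ssh/shosts.equiv: one client host per line; a user on a listed host may
# log in here under the same username. Same trust model as hosts.equiv, but
# the host identity is now proven by the certified host key.
render_shosts_equiv() {
  printf '%s\n' "$@"
}

# CA side: sign a node's host public key. -h makes a host certificate and -n
# pins the principals (hostnames) it is valid for; the output file is
# <pubkey>-cert.pub next to the input.
sign_host_key() {           # $1 = CA private key, $2 = host public key, $3 = hostname
  ssh-keygen -q -s "$1" -I "host-$3" -h -n "$3" -V +52w "$2"
}

# Offline check that a certificate was issued by the expected CA: compare the
# "Signing CA" fingerprint printed by ssh-keygen -L with the CA key's own.
cert_signed_by() {          # $1 = certificate file, $2 = CA public key file
  ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
  ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

demo() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping demo"; return 0; }
  cd "$WORK"
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f host_ca
  ssh-keygen -q -t ed25519 -N '' -C node01 -f node01_host_key
  sign_host_key host_ca node01_host_key.pub node01.cluster.example
  render_known_hosts "$(cat host_ca.pub)" > ssh_known_hosts
  render_shosts_equiv mgmt.cluster.example node01.cluster.example > shosts.equiv
  cert_signed_by node01_host_key-cert.pub host_ca.pub && echo "node01 cert chains to host_ca"
}

demo
```

The caveat behind "highly discouraged": every host in shosts.equiv is trusted at the level of its root account, because ssh-keysign signs with the host key for any local user, so compromising root on one node yields same-username access on every peer. Keep the CA private key off the cluster, pin principals with -n, and use the validity window so a decommissioned node's certificate expires without touching any known_hosts file.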
